Memorandum of Understanding 


The Information Commissioner 
and 
Smart Energy Code Company Limited 


Introduction 


1; 


This Memorandum of Understanding (MoU) establishes a framework 
for co-operation and information sharing between Smart Energy 
Code Company Limited (SECCo) and the Information Commissioner 
(the Commissioner) in connection with the sharing of relevant 
information and intelligence, set out at 14 below. It sets out the role 
of each organisation and documents the practical working level 
arrangements between the Commissioner and SECCo. 


The Commissioner and SECCo will monitor the operation of this 
memorandum and will review it, initially after six months from the 
date of this document, and subsequently from time to time as 
necessary. 


Any changes to this memorandum identified between reviews may 
be agreed in writing between the parties. 


Any issues arising in relation to this memorandum will be notified to 
the point of contact for each organisation (referred to in 27 below). 


This memorandum is a statement of intent that does not give rise to 
legally binding obligations on the part of either the Commissioner or 
SECCo. 


Functions and powers of Commissioner 


6. 


The Commissioner is a corporation solely appointed by Her Majesty 
the Queen under the Data Protection Act 1998 and Freedom of 


Information Act 2000 to act as the UK's independent regulator 


promoting public access to official information and protecting 
personal data. 


The Commissioner regulates the Data Protection Act 1998 (DPA), 
the Freedom of Information Act 2000 (FOIA), the Privacy and 
Electronic Communications (EC Directive) Regulations 2003 (PECR), 
the Environmental Information Regulations 2004 (EIR) and the 
INSPIRE Regulations 2009. 


10. 


Section 51 of the DPA places a duty on the Commissioner to 
promote the following of good practice by data controllers and the 
observance of the requirements of the DPA by organisations. 


Where the Commissioner is satisfied that any of the data protection 
principles or certain provisions of PECR have been breached, a 
number of steps can be taken to seek to change the behaviour of 
the organisation including: 


serving information notices requiring organisations to provide the 
Information Commissioner's Office with specified information 
within a certain time period; 

issuing undertakings committing an organisation to a particular 
course of action in order to improve its compliance; 


serving enforcement notices where there has been a breach, 
requiring organisations to take (or refrain from taking) specified 
steps in order to ensure they comply with the law; 


conducting consensual assessments to check organisations are 
complying; and 

issuing monetary penalty notices, requiring organisations to pay 
up to £500,000 for serious breaches. 


The Commissioner may also prosecute those who commit criminal 


offences under the DPA. 


Functions of SECCo 


LL, 


12. 


13. 


SECCo is the corporate vehicle established to support the Smart 
Energy Code Panel business. All contracts with the Smart Energy 
Code Panel are held with SECCo. 


The Smart Energy Code Panel has been established in order to 
undertake the duties set out within the Smart Energy Code. This 
includes appointing an Independent Privacy Auditor who will 
úndertake Privacy Assessments of Users of the Data 
Communications Company who may be granted access to Smart 
Metering Systems where they are not the Registered Supplier or 
Registered Network Operator. The assessment process is outlined in 
Section 12 of the SEC and verifies that the User is compliant with 
the SEC and has systems and processes in place to comply with 
their obligations. 

The Smart Energy Code places a duty on the Smart Energy Code 


Panel to review the outcome of the Privacy Assessments and set the 
Assurance Status and determine the appropriate course of action. 


14. Where the Smart Energy Code Panel is satisfied that an actual or 
perceived material non-compliance has been identifted by the Data 
Privacy Auditor, a number of steps can be taken to seek to change 
the behaviour of the User including: 


9 seeking additional information from the Independent Privacy 
Auditor; 

o seeking additional information from the User; 

a setting the Assurance Status to deferred to stop the User from 


communicating remotely with Smart Meters via the Data 
Communications Company; and 


o in the event of an actual non-compliance provide the 
Information Commissioner with a report detailing the findings 
and actions taken to date. 


Cooperation between the Commissioner and SECCo 


15. Subject to any legal restrictions on the disclosure of information 
(whether imposed by statute or otherwise) and at their discretion, 
SECCo agree that they will alert the Commissioner to any potential 
breaches of the legislation he regulates discovered whilst 
undertaking their duties, and provide relevant supporting 
Information and intelligence. 


16. Subject to any legal restrictions on the disclosure of information 
(whether imposed by statute or otherwise} and his discretion, the 
Commissioner agrees that he will alert SECCo to any potential 
breaches of best practice, or information relevant to the functions 
set out at 11 to 14 above, discovered whilst undertaking his duties, 
and provide relevant supporting information. 


17. Subject to any legal restrictions on the disclosure of information 
(whether imposed by statute or otherwise) and at their discretion, 
both parties will: 


a) Communicate regularly to discuss matters of mutual interest 
(this may involve participating in multi-agency groups to 
address common issues and threats); and 


b) Consult one another on any issues which might have 
significant implications for the other organisation. 


Sharing information 


18, 


19: 


20. 


21: 


22. 


23. 


24. 


ZO 


Subject to any disclosure restrictions applicable to SECCo, they may 
disclose confidential information to the Commissioner to facilitate 
the carrying out of any required function of the Commissioner or a 
statutory function of the Commissioner, as set out in 8, 9 and 10 
above. 


Where SECCo wishes to disclose to the Commissioner Information 
necessary for the discharge by the Commissioner of his functions 
under the DPA (or under FOIA), section 58 DPA provides that no 
enactment or rule of law prohibiting or restricting the disclosure of 
information shall preclude SECCo from furnishing such information 
to the Commissioner. 


In respect of information obtained by or furnished to the 
Commissioner for the purposes of his functions under the 
Information Acts, it is an offence under section 59 DPA for any 


current or former member of the Commissioner's staff or his agent 
to disclose such information without lawful authority. 


Section 59(2)(e) DPA provides that a disclosure by the Information 
Commissioner of information obtained by or furnished to him is 
made with lawful authority where, having regard to the rights and 
freedoms or legitimate interests of any person, the disclosure is 
necessary in the public interest. 


Section 59(2)(c) of the DPA provides that a disclosure by the 
Information Commissioner of information obtained by or furnished 
to him is made with lawful authority where the disclosure is made 
for the purposes of, and necessary for, the discharge of any 
functions under the Information Acts. 


In addition, section 59(2)(d) DPA provides that a disclosure of 
information by the Information Commissioner is made with lawful 
authority where the disclosure is made for the purposes of any 
proceedings, whether criminal or civil, 


The Commissioner may, at his discretion and in accordance with 
sub-sections 59(2)(c), (d) and/or (e) DPA, disclose confidential 
information to SECCo, where this is necessary for performing the 
functions set out at 6 to 10 above. 


If information to be disclosed by the Information Commissioner was 
received by him in the course of discharging his functions as a 
designated enforcer under the Enterprise Act 2002, any disclosure 


shall be made in accordance with the restrictions set out in Part 9 of 
that Act. 


26. Where a request for information is received by either party under 
the DPA, FOIA or EIR, the recipient of the request will seek the 
views of the other party where the information being sought under 
the request includes information obtained from, or shared by, the 
other party. However the decision to disclose or withhold the 
information remains with the recipient party. 


Points of contact 


27. 


SECCo Information Commissioner 


Sarah Gratte, Senior Delivery Manager | Adam Stevens, Intelligence 


— SMART Hub Manager 
Gemserv Wycliffe House 
8 Fenchurch Place Water Lane 
London Wilmslow 
EC3M 4A) SK9 5AF 


— 


SECCO Information Commissioner 


(Signature) (Signature) 


CUAL IETS li Elda, 


(Peter Davies, SECCo Chairman) vs Ue) CO Py or 


(Date) Walıe (Date) 16 | 3 | IC 


